Edgar Fuß <ef%math.uni-bonn.de@localhost> writes:

>> The other issue is that I am not clear on if there is adequate support for
>> dynamic-remote-peer VPN (road warrior type, vs site-site), which often
>> involves provisioning a private/internal address for the remote host to
>> use inside a tunnel.

> I thought that was exactly the point the L2TP-over-IPsec-Matroshka was
> good for: you can't use tunnel mode when you don't have a local IP to
> tunnel.
> Or is there a more intelligent way than
> PPP-over-L2TP-over-UDP-over-IPsec-over-IP-over-whatever?

There is a way to do the equivalent of DHCP using IKE as the control
protocol. So you have an RFC1918 address behind some NAT, do IPsec with
NAT-T to get to the VPN gateway, and then get a perhaps-public
inside-enterprise-firewall address over the IKE control connection, and
then configure that somehow and use it for packets that are heading into
the tunnel.

I have seen this work with a proprietary VPN implementation on a
proprietary OS. I've never tried to do it with NetBSD.
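The "DHCP over IKE" mechanism the reply describes is what IKEv2 standardises as the Configuration Payload (RFC 7296, Section 3.15): the road-warrior sends a CFG_REQUEST carrying empty INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS attributes, and the gateway answers with a CFG_REPLY carrying the address it has leased from an inside pool (IKEv1 had the same idea as ISAKMP mode-config). The following is an added example for this thread, not code from NetBSD, racoon or any poster here; it models only the payload encoding and the gateway's pool logic, not the surrounding IKE exchange or its encryption. The pool 10.99.0.0/24, the DNS server 10.0.0.53, the peer names and the "first host is the gateway" rule are constructed assumptions.

```python
"""Toy model of IKE-based inside-address assignment (RFC 7296, Section 3.15).
Example code written for this thread; not NetBSD's or any IKE daemon's code."""
import struct
import ipaddress

CFG_REQUEST, CFG_REPLY = 1, 2        # CFG Type values, RFC 7296 Section 3.15
INTERNAL_IP4_ADDRESS = 1             # attribute types, RFC 7296 Section 3.15.1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3
HEADER = struct.Struct("!BBHB3x")    # next payload, flags, length, CFG type, 3 reserved
ATTR = struct.Struct("!HH")          # R bit + 15-bit attribute type, value length


def encode_cp(cfg_type, attributes, next_payload=0):
    """Build a Configuration Payload from a list of (attribute type, value bytes)."""
    body = b"".join(ATTR.pack(t & 0x7FFF, len(v)) + v for t, v in attributes)
    return HEADER.pack(next_payload, 0, HEADER.size + len(body), cfg_type) + body


def decode_cp(data):
    """Parse a Configuration Payload; raise ValueError on any length inconsistency
    rather than reading past the buffer (the usual parser bug class here)."""
    if len(data) < HEADER.size:
        raise ValueError("short payload header")
    _next, _flags, length, cfg_type = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("payload length field out of range")
    attrs, off = [], HEADER.size
    while off < length:
        if off + ATTR.size > length:
            raise ValueError("truncated attribute header")
        raw_type, alen = ATTR.unpack_from(data, off)
        off += ATTR.size
        if off + alen > length:
            raise ValueError("attribute value runs past payload end")
        attrs.append((raw_type & 0x7FFF, data[off:off + alen]))
        off += alen
    return cfg_type, attrs


class AddressPool:
    """Gateway-side pool of inside addresses handed out over IKE (DHCP-like)."""

    def __init__(self, network, dns):
        self.network = ipaddress.ip_network(network)
        self.dns = ipaddress.ip_address(dns)
        # assumption for this toy: the first host address belongs to the gateway
        self.free = list(self.network.hosts())[1:]
        self.leases = {}                 # peer id -> IPv4Address

    def allocate(self, peer_id, hint=None):
        """Reuse an existing lease; honour a client hint only if it is in the pool and free."""
        if peer_id in self.leases:
            return self.leases[peer_id]
        addr = hint if hint in self.free else self.free[0]
        self.free.remove(addr)
        self.leases[peer_id] = addr
        return addr

    def handle_request(self, peer_id, request_bytes):
        """Answer a CFG_REQUEST with a CFG_REPLY containing only what was asked for."""
        cfg_type, attrs = decode_cp(request_bytes)
        if cfg_type != CFG_REQUEST:
            raise ValueError("expected CFG_REQUEST")
        reply = []
        for attr_type, value in attrs:
            if attr_type == INTERNAL_IP4_ADDRESS:
                hint = ipaddress.ip_address(value) if len(value) == 4 else None
                addr = self.allocate(peer_id, hint)
                reply.append((INTERNAL_IP4_ADDRESS, addr.packed))
                reply.append((INTERNAL_IP4_NETMASK, self.network.netmask.packed))
            elif attr_type == INTERNAL_IP4_DNS:
                reply.append((INTERNAL_IP4_DNS, self.dns.packed))
            # attributes the gateway does not support are simply not echoed back
        return encode_cp(CFG_REPLY, reply)


def client_request(wanted=None):
    """Road-warrior side: zero-length values ask the gateway to fill them in;
    a 4-byte address is only a hint the gateway may ignore."""
    addr_value = ipaddress.ip_address(wanted).packed if wanted else b""
    return encode_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, addr_value),
                                   (INTERNAL_IP4_DNS, b"")])


def assigned_address(reply_bytes):
    """Road-warrior side: pull the leased inside address out of the CFG_REPLY."""
    cfg_type, attrs = decode_cp(reply_bytes)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS and len(value) == 4:
            return str(ipaddress.ip_address(value))
    raise ValueError("no address assigned")


if __name__ == "__main__":
    pool = AddressPool("10.99.0.0/24", "10.0.0.53")     # constructed sample pool
    reply = pool.handle_request("laptop-1", client_request())
    print("assigned inside address:", assigned_address(reply))
```

The address that comes back is what the client then has to "configure somehow" on its end of the tunnel; the two points a gateway implementer cares about are visible in `allocate` (a client may suggest an address but never gets one outside the pool or one already leased) and in `decode_cp` (every length field is checked against the buffer before it is trusted).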